Methods and systems for cyber-monitoring and visually depicting cyber-activities

ABSTRACT

The present invention relates to methods and systems for cyber-monitoring and visually depicting cyber-activities. In certain embodiments, there is provided a method for visually depicting cyber-activities, entities, and/or entity-relations, said method comprising: displaying on a graphical user interface multiple visual representations comprising graphical components of one or more elements in a chronological order, using a time based tracking model, wherein each of said one or more elements is selected from a cyber-activity, entity, and entity-relation; wherein each of said visual representations represents a different level of a granularity and/or hierarchy; b) optionally displaying, optionally in response to a user action, a link to a selected element in each of said multiple visual representations.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims priority under 35 U.S.C. § 120 to U.S. PatentApplication No. 16/287,345, filed on Feb. 27, 2019, which in turn claimspriority to U.S. Provisional Patent Application No. 62/696,896, filed onJul. 12, 2018 and U.S. Provisional Patent Application No. 62/636,368,filed on Feb. 28, 2018, the disclosures of which are incorporated byreference herein in their entireties.

FIELD OF THE INVENTION

The present invention pertains to the field of network management. Inparticular, the present invention relates to systems and methods for themonitoring, tracking, and visualizing cyber-activities.

BACKGROUND OF THE INVENTION

Computers and computer networks have become an integral part of modernsociety. As reliance on computers and computer networks has grown theimpact of failure of computer and computer networks has also grown.Moreover, anomalous cyber-activities, such as the execution ofunauthorised and/or malicious software, are a major concern for bothorganizations and individuals, which can result in significant damages.Anomalous cyber-activities can be indicative of not only maliciouscyber-activities but also human error, equipment failures, softwaremalfunction, accidents, among others. Immediate damages may include butare not limited to data deletion and/or corruption, data theft, releaseof confidential information to the public, and/or system/networkdowntime. Subsequent damages may include but are not limited tofinancial losses, social and/or political repercussion, businessinterruption, loss of competitive advantage and/or loss of intellectualproperty. Accordingly, monitoring of computers and computer networks isof great importance.

The complexity and volume of raw data generated from monitoring eventsstreams in a computer and computer network can render the identificationof anomalous cyber-activities from normal cyber-activities challenging.

SUMMARY OF THE INVENTION

An object of the present invention is to provide systems and methods forthe monitoring, tracking, and visualization of cyber-activities,entities, and entity-relations derived from raw event stream data. Inaccordance with an aspect of the present invention, there is providedmethods for visually depicting cyber-activities, entities, andentity-relations, said method comprising: a) displaying on a graphicaluser interface multiple visual representations comprising graphicalcomponents of one or more cyber-activity, entity, and entity-relation ina chronological order, using a time based tracking model. Each of theelements, which can either be a cyber-activity, an entity, or anentity-relation, is displayed as a graphical representation, whereineach of said visual representations can represents a different level ofa granularity and/or hierarchy; b) optionally displaying, optionally inresponse to a user action, a link to a selected element in each of saidmultiple visual representations; and c) optionally displaying,optionally in response to a user action, on said graphical userinterface, a graphical representation(s) of a tree(s) and/or stackassociated with one or more of said elements, which can either becyber-activities, entities, and/or entity-relations.

In another aspect of the present invention, there is provided a methodfor visually depicting cyber-activities, entities, and/orentity-relations, said method comprising: a) displaying on a graphicaluser interface multiple visual representations comprising graphicalcomponents of one or more elements in a chronological order, using atime based tracking model, wherein each of said one or more elements isselected from a cyber-activity, entity, and entity-relation; whereineach of said visual representations represents a different level of agranularity and/or hierarchy; b) optionally displaying, optionally inresponse to a user action, a link to a selected element in each of saidmultiple visual representations. In certain embodiments, each visualpresentation of said multiple visual presentations is a tree(s) and/orstack associated with one or more of said elements. In certainembodiments, the method further comprises displaying, optionally inresponse to a user action, a link to a selected element in each of saidmultiple visual representations.

In another aspect of the present invention, there is provided a methodof visually depicting cyber-activities, said method comprising: (a)extracting and/or building one or more entities and one or moreentity-relations from tracked cyber-activities from event stream(s),wherein each of said entity is representative component of a particularcyber-activity; and (b) visualizing one or more cyber-activities, saidone or more entities and one or more entity-relations on a graphicaluser interface. In certain embodiments, step (a) comprises: (i) trackingsaid cyber-activities derived from event stream(s); (ii) selectingentities from said cyber-activity(ies) and (iii) selectingentity-relations tracking model. In certain embodiments, step (b)comprises (i) displaying on a graphical user interface multiple visualrepresentations comprising graphical representations of said one or moreentities in a chronological order, using a time based tracking model;wherein each of said visual representations represents a different levelof a granularity and/or hierarchy; and ii) optionally displaying,optionally in response to a user action, a link to a selected entity ineach of said multiple visual representations.

BRIEF DESCRIPTION OF THE FIGURES

FIG. 1 provides an illustration of a visual representation ofcyber-monitoring of an embodiment of the present invention. In thisembodiment, a horizontal line/bar representing time processing from leftto right is provided with datapoints representing trackedentities/activities in chronologically ordered on the line. In thisnon-limiting example, process level activity is visualized and atimeline is created using unique process identifiers as the trackingentity for the visual representation. In this example, branchesproviding further details are displayed.

FIG. 2 illustrates an embodiment of the present invention which depictscyber-monitoring at multiple levels of granularity and at various stagesof analysis. In this embodiment, the levels of granularity includeoperators, clients, devices, processes and events. Each level ofgranularity is presented as a vertical stack with each blockrepresenting an entity/activity. A link/pathway following theactivity/entity though the various granularity stacks is alsoillustrated. In this embodiment, the top panel illustrates unprocessedentities and the bottom panel illustrates processed entities thatrequire further analysis. A stack visually depicting rules is alsoincluded in this embodiment. This form of representation may be used torepresent any type of entity including process, domain, user, logon ID.

FIG. 3 illustrates the embodiment described in FIG. 2 but furtherillustrates a text box which popped up in response to user action whichprovides further details.

FIG. 4 illustrates a multiple panel GUI which includes a panel visuallydepicting unprocessed entities as stacks at various levels ofgranularity; a panel visual depicting processed entities; a panelproviding a detailed context tree of a particular entity and a panel forrule building. Also illustrated is a text box which popped up inresponse to user action which provides further details.

FIG. 5 illustrates an embodiment of the present invention which depictscyber-monitoring at multiple levels of granularity and at various stagesof analysis. In this embodiment, the levels of granularity includeoperators, clients, devices, processes and events. Each level ofgranularity is presented as a vertical stack with each blockrepresenting an entity/activity. A link/pathway following the entitythough the various granularity stacks is also illustrated. In thisembodiment, the top panel illustrates unprocessed entity/activity andthe bottom panel illustrates processed entities that require furtheranalysis. A stack visually depicting rules is also included in thisembodiment. Also illustrated is a text box which popped up in responseto user action which provides further details with respect to aparticular rule.

FIG. 6 illustrates an embodiment of the present invention which depictscyber-monitoring at multiple levels of granularity and at various stagesof analysis. In this embodiment, the levels of granularity includeoperators, clients, devices, processes and events. Each level ofgranularity is presented as a vertical stack with each blockrepresenting an entity/activity. A link/pathway following the entitythough the various granularity stacks is also illustrated. In thisembodiment, the top panel illustrates unprocessed entities/activitiesand the bottom panel illustrates processed entities/activities thatrequire further analysis. A stack visually depicting rules is alsoincluded in this embodiment. Also illustrated is a text box which poppedup in response to user action which provides further details.

FIG. 7 provides details an example of the panel providing the treeassociated with a particular entity.

FIG. 8 illustrates an embodiment of the present invention which depictscyber-monitoring at multiple levels of granularity and at various stagesof analysis. In this embodiment, the levels of granularity includeoperators, clients, devices, processes and events. Each level ofgranularity is presented as a vertical stack with each blockrepresenting an entity/activity. A link/pathway following theentity/activity though the various granularity stacks is alsoillustrated. In this embodiment, the top panel illustrates unprocessedentities and the bottom panel illustrates processed entities thatrequire further analysis. A stack visually depicting rules is alsoincluded in this embodiment.

FIGS. 9, 10 and 11 , illustrate examples of a time-based sequencerepresentation of cyber-activities or entities and entity-relations. InFIG. 9 , individual occurrences of cyber-activities are ordered on a“Universal Timeline”, attached to the ‘root’ entity program image‘cmd.exe’ represented by the black shell icon, which represents thecyber-activities related to a specific occurrence of the execution ofthe program image ‘cmd.exe’. FIGS. 10 and 11 , are entity-relationsordered on a “Universal Timeline”, attached to the ‘root’ entity programimage ‘cmd.exe’ represented by the black shell icon, which represent astatistical summary of the underlying cyber-activities with the numberof occurrences for each specific entity-relations represented by asingle number at the top right or at the bottom of the iconographicrepresentation of the entity.

FIGS. 12 and 13 , illustrate a stack representation for the hash basedentity ‘MD5’. In FIG. 12 , the visualization represents the tracking ofthe deployment of a patch across multiple organizations and devices.Each connector from a device to the hash in questions provides visualconfirmation that the patch has been successfully implemented and thatthe hash has been executed at least once of the device. In FIG. 13 , thevisualization represents the tracking of a known malicious hash acrossmultiple devices affecting multiple organizations. The distinctionbetween the two patterns can be visually recognised.

FIGS. 14 and 15 , illustrates the ‘integration’ of one type of entitystack to produce another type of entity stack. In FIG. 14 , there is aprocess entity stack based on process PIDs for various types of entityprogram images. Each cell in the PID stack corresponds to a specificoccurrence of the execution of the underlying program image. If a user‘integrates’ over all PIDs the entity-relations ‘image-PID’ the userobtains a statistical representation of the behavior of each programimage ‘integrated’ over a set of independent execution occurrences. Inparticular, if the user ‘integrates’ over all of the entity-relations‘image-PID’ the user obtains the program entity stack found in FIG. 15 .

DETAILED DESCRIPTION OF THE INVENTION

The present invention pertains to systems and methods for visuallyrepresenting and relating cyber-activities. The methods and system ofthe present invention provide human and artificial intelligence basedcyber operators visually recognizable, distinct patterns that simplifiesand speeds up the identification and classification of normal versusanomalous behavior, both malicious and benign.

In certain embodiments the methods of the present invention extractand/or build one or more entities and one or more entity-relations fromtracked cyber-activities derived from event streams to create thevisualization models. In certain embodiments, the method forvisualization comprises a) tracking a selected cyber-activity from eventstream(s); b) selecting entities from the cyber-activity; (c) selectingan entity-relations tracking model; and d) visualizing on a graphicaluser interface.

Event Stream

Event streams may include but are not limited to process creation, filecreation, communication and process injection events, among many others.Each individual event stream may represent a single or multiple distincttypes of cyber-activities. For example, a communication event canrepresent a network file sharing cyber-activity or a cyber-activitycorresponding to a client browser “surfing” the internet.

Entities

As used herein, entities are the unique values for a parameter type,referred to as entity types, from a cyber-activity derived from one ormore event streams. As an illustrative example, ‘excel.exe’ is an entityof type program ‘image’ derived from multiple types of event streamsincluding the process creation event stream.

Event entities, extracted and/or built from the event streams,effectively and comprehensively track key cyber-activity behavior. Eachindividual event stream is parsed and enriched to produce cyber-activitybased entities required to monitor the targeted behavior for eachindividual type of cyber-activity.

For example, the event stream associated with public communications tothe Internet has a ‘destination IP’ entity that can be enriched tocreate the following entities for this type of cyber-activity: ASNOrganization, country code and geo-coordinates. In this case, these‘derived’ entities provide different levels of granularity for whichthis type of cyber-activity can be tracked. In particular, thiscyber-activity can be tracked across the physical space domain, with theentity geo-coordinates providing the finest grained level of monitoringand the country code the coarsest level of monitoring for this domain.

Entity-Relations Tracking Model

The entity-relations tracking model is chosen such that key questionscan be deterministically answered. The selection of entities andentity-relations can also determine the level of granularity of thevisual monitoring model.

For example, if the execution of all programs is to be tracked, theprogram image as an entity to be track is selected. If visualization ata more granular level of what program has executed on which machine isdesired then the device as a tracked entity is selected and theentity-relation ‘device-image’ is selected to track in order to providethe required level of granularity for monitoring.

Similarly, if it is desired to track all the cyber-activities at theindividual process level the ‘process Id’ (PID) must be tracked as anentity across multiple event streams. Likewise, if only ‘destination IP’addresses is tracked without any entity-relations the origins of theconnection to the IP address cannot be known. However, if theentity-relations: ‘image-destination IP’ and ‘device-destination IP’ aretracked, there is sufficiently granular information to know exactlywhich devices connected to this IP address and what program(s) performedthe communication to the target ‘destination IP’.

In certain embodiments, the tracking model is to be time-based. Forexample, if it is desired to track every single cyber-activity performedby a given process a full timeline tracking model must be selected suchthat each individual entity and entity-relation occurrence is trackedwith respect to time. Alternatively, if only a statistical view ofcyber-activities for a given process execution is required, then a timebased model for which only a subset of all occurrences is explicitlytracked along with a statistical representation of all occurrences, suchas, among other models, the tracking of the first occurrence, the lastoccurrence and the number of occurrences for entities and theentity-relations is selected.

Using such a tracking model the cyber-activities related to a specificprocess execution PID can be represented as an ordered sequence ofdistinct statistical summaries for each distinct entity-relation of typePID-‘tracked entity’, where the ‘tracked entity’ can be derived from anyevent stream that tracks the PID entity. The time sequence can beordered using either the date time from the first occurrence parameteror from the last occurrence parameter. Each distinct ordered visualrepresentation presents different information. For example, in order toknow the first cyber-activity performed by a process the time sequencedsummaries of the cyber-activities can be displayed using the firstoccurrence parameters. Similarly, to know what was the lastcyber-activity that the process performed before terminating then thelast seen parameter is used to present the time sequencedcyber-activities, entities and the entity-relations summaries.

Visualization

For each cyber-activity, entity, and/or entity-relation a graphicalrepresentation and/or textual representation is selected for thevisualization on a graphical user interface (GUI). In certainembodiments, the visual representations comprise one or more graphicalcomponents including but not limited to iconographic and text basedrepresentations.

For each individual cyber-activity type a distinct iconographic and/ortextual representation for the cyber-activity type is selected. Forexample, a cloud icon optionally with the text “http(s)” can representthe cyber-activity of “surfing” the Internet with a web-browser. Theselected iconography and textual descriptors are selected such that theycan represent all the possible cyber-activities being tracked from theselected set of event streams.

The text may be in the form of one or more labels or tags. Optionally,the text is displayed in response to a user's action. For example, thetext may be displayed in response to the user “clicking” or “hoveringover” the graphical representation. In certain embodiments, the one ormore visual representations may be modified in response to user action.Optionally, text is used to provide further information.

In certain embodiments, the GUI is in a multiple panel format. Thevarious panels of the multiple panel format may be used to displaydifferent visualization models, different levels of granularity,different levels of processing, and/or other information. In certainembodiments, the one or more panels are linked such that a user actionin one panel is reflected in one or more other panels.

In certain embodiments, the multi-panel format includes a decision panelthat implements a “Universal Workflow” for the monitoring of selectedcyber-activities. The decision panel provides a graphical interface fromwhere the cyber operator can select entities and entity-relations toannotate. In certain embodiments, the “Universal Workflow” prompts thecyber operator to annotate each new unique entity and entity-relationoccurrence. In certain embodiments, the annotation comprises at aminimum, a score, message and the author identification.

In certain embodiments, the multiple panel format comprises a panelproviding visual representations of unprocessed, cyber-activities,entities and/or entity-relations for tracked cyber-activities and apanel providing visual representations of processed cyber-activities,entities and entity-relations for tracked cyber-activities. In certainembodiments, only processed cyber-activities, entities and/orentity-relations for tracked cyber-activities requiring further analysisor action are visualized in the processed panel. As used herein,processing includes but is not limited to processing through theapplication of one or more rules to determine if the cyber-activities,entities and/or entity-relations for tracked cyber-activities is normaland can be ignored/suppressed, abnormal which requires further action orunknown which requires further analysis.

In certain embodiments, the methods also provide for the generation ofrules for monitoring and/or alert analysis. Accordingly, in certainembodiments, the GUI provides a visual representation of the rules thathave been applied and/or a section for rules generation/application. Inspecific embodiments, the GUI is in a multiple panel format andcomprises one or more panels relating to rules, including for example apanel depicting rules applied and/or a panel for the rules generation.

The system and methods of the present invention utilize one or morevisualization models. One of the visualizations models is a time basedsequenced “tree” representation for cyber-activities, entities and/orentity-relations for tracked cyber-activities while another is amulti-relational stack representation for cyber-activities, entitiesand/or entity-relations for tracked cyber-activities. Theserepresentations can be used independently or synergistically to providein-depth quantitative context for cyber-activities.

In certain embodiments, a time based sequenced “tree” representation isused to represent the tracked entities and entity-relations forcyber-activities selected from the event stream. In this visualization a“root” tracking entity type is selected for which a chronologicallyordered sequence of entity-relations is represented, optionally on astraight cartesian line, starting from an occurrence of the “root”entity type, using one or multiple visual representation for theentity-relations including, but not limited to, its iconographic and/ortextual representation(s). The use of cartesian representation maximizesthe utilisation of visual real estate on the GUI.

In certain embodiments, the spacing between of the entity-relationsrepresents the actual time axis. In other embodiments, a “UniversalTimeline” is used that spaces out the entity-relations such that allentity-relations are equally spaced. In specific embodiments, whenmultiple of these entity-relations “Universal Timeline” are stackedtogether a cartesian grid is formed. If occurrences of the selected“root” entity type has relations to other occurrences of the “root”entity type then the visualization will use a visual ‘branch’ model tostart up another “Universal Timeline” for the sub-branch ofentity-relation. This sub-branch structure can re-occur at any level andlocation in the visualization if there are additional entity-relationsbetween the root entity type.

For example, if the selected events streams includes process creation,file creation, and process injection, among others, the tracked entitiesincludes the entity types ‘PID’, ‘image’, ‘target file’, and ‘targetimage’, among others, the tracked entity-relations includes ‘image-PID’,‘PID-target file’, and ‘image-target file’, among others, and thetracking model is fulltime line, then the visualization represent thefull process tree for each process execution occurrence. The branchingcorresponds to the cyber-activity of a parent process spawning a childprocess, where the sub-branch corresponds to the child's full processexecution history, i.e. a complete history of all cyber-activitiesgenerated from the child process. If the tracking model only tracks thefirst occurrence, the last occurrence and the number of occurrences thenthe process “tree” collapses to a statistical representation of allcyber-activities summarized by entity-relations and ordered by the timeparameter for the first occurrence or the last occurrence. Thevisualization can dynamically ‘switch’ between these time based trackingmodels. Similarly, this visualization can be used on any other entitytype and entity-relations across any type of event streams.

In certain embodiments, the visualization models is based on relationalstack representations. A “stack” is a structure, optionally vertical,comprising individual cells, which are also referred to as “chips”, thatare stacked, optionally one on top of another, where each individualcell represents an entity derived from cyber-activities from eventstream(s). Each stack represents a specific type of tracked entity, or agroup of entity types or cyber-activities.

For example, from the process creation event stream derived entities canproduce a multi-stacks representation, where each individual stackrepresents one of the following entities: organization, domain, user anddevice. The entity-relations between these various stacks enable amultitude of orderings as long as each of the entity based stacks hasentity-relations with its nearest neighbors, then the relational stackmodel can be represented visually implemented using connectors betweencells along with informational decorators on the connectors to providecontextual information between stacks, such as the number ofconnections, among others. This model enables the full linking of allthe cells in each stacks to cell(s) in the nearest stack(s), which inturn enables the visualization of all relations across all entitiessimultaneously.

The patterns produced by linking cells between entity stacks produces aseries 1-to-N independent relations to nearest neighbor cells. Theseentity-relations represented through connectors in the relational stackrepresentation can enable a multitude of questions to be answered. Forexample, using the following entity stack ordering: organization,devices, hashes, a cyber operator can visually identify which deviceshas been infected by a specific malicious hash and what organizationhave been affected by the infection. Similarly, this relational stackrepresentation can be used to track the patching of software on devicesby tracking the propagation of the device-hash relation, which isvisually represented by connectors between the device based cell stacksand the hash based cell stack. Moreover, the patterns produced by bothof these use cases are sufficiently distinct to enables the visualidentification of the propagation of a new patch versus the normalpropagation of malware and/or use of unauthorized software.

In certain embodiments, each cell in a stack is visually represented bya general cartesian rectangle, which can be dynamically expanded, andcompressed down to a single pixel in either height and/or width. Incertain embodiments, each cell has a color coding that represents anentity type or value ‘type’ and can also contain text based informationthat, optionally is only revealed when the cell is sufficientlyexpanded. In certain embodiments, the cell has an iconographic and/ortextual representation of the cyber-activity or entity it represents,which is visually presented, optionally in response to user input, tothe left or right of the cell's rectangle. In certain embodiments, thisvisual component can be ‘pulled’ out of the cell or ‘pushed’ back in tominimize the over real estate used by the GUI. In certain embodiments,the cell also contains information components that can presented using apop-up, which can dynamically reveal different pieces of information,including but not limited to the number of connectors to the right andthe number of connectors to the left, along with summaries of the valuesof the entity-relations with the nearest neighbor stack of cells to theleft and/or right.

In certain embodiments, the stacks can also perform ‘integration’ forcertain types of entity stacks to produce a new entity stack. Forexample, a process entity stack can be ‘integrated’ over the processPIDs in order to produce a program image entity stack. This type oftransformation enables a user to quickly recognize the normal patternsof behavior for any given program image across a large number of processexecutions. In certain embodiments, each of the stacks can be sorted byentity values, time, or any other available parameter. In certainembodiments, each of the stacks can be filtered by entity values, time,and/or any other available parameter.

In certain embodiments, a number of elements, either entities and/orcyber-activities, are displayed in the stack and optionally are storedin a buffer/queue at the ‘top’ and ‘bottom’ of the stack with a textualrepresentation of the number of elements in each of the buffer/queue. Inembodiments where the monitoring is for a particular time period, thetime period may be actual time or based on a certain number of elements.The time periods may be scheduled time periods or may be started andstopped in response to a user's action. For example, the duration of theperiod may be of any duration including, but not limited to, one hour,one day, one week, one year or any number of distinct elements includingbut not limited to 50, 100, 200, etc. Optionally, the methods and systemof the present invention, include a record of the number of elements andoptionally visually displays a number count.

In certain embodiments, time period, when completed, are archived. Incertain embodiments, the monitoring is on-going.

In addition, these visualization models can contain informationaldetails with respect to specific elements, such as cyber-activities, anentities and/or an entity-relations, that may be displayed as a pop-upin response to a user controlled action. In certain embodiments, thevisual representations of specific elements, such as cyber-activities,entities and entity-relations, is comprised of one or more graphicalcomponents which can be iconographic and text based. Optionally,specific components can be displayed in response to a user's action,such as on hover over present a text based summary of the element, amongother possibilities. For example, a text based component may bedisplayed in response to the user “clicking” on the iconographicrepresentation of the element. In certain embodiments, one or morevisual components may be modified in response to user action.

In certain embodiments, the GUI is in a multiple panel format andcomprises a panel providing visual representations of unprocessedcyber-activities, entities and/or entity-relations, and a panelproviding visual representations of processed cyber-activities, entitiesand/or entity-relations. In certain embodiments, only processedcyber-activities, entities and/or entity-relations requiring furtheranalysis or action are visualized in the processed panel. As usedherein, processing includes but is not limited to processingcyber-activities, entities and/or entity-relations through theapplication of one or more rules to determine if the cyber-activities,entities and/or entity-relations is normal and can beignored/suppressed, abnormal which requires further action or unknownwhich requires further analysis.

The methods of the present invention, also provides for the generationof rules for monitoring cyber-activities, entities and/orentity-relations. Accordingly, in certain embodiments, the GUI providesa visual representation of the rules that have been applied and/or asection for rules generation for cyber-activities, entities and/orentity-relations. In specific embodiments, the GUI is in a multiplepanel format and comprises one or more panels relating to rules,including for example a panel depicting rules application and/or a panelfor the rules generation. The rules enable the automated processing ofcyber-activities, entities and/or entity-relations from the‘unprocessed’ panel to the ‘processed’ panel. This process visuallydepicts the digital workflow that cyber operator can implement using themethods and system described in this application.

In certain embodiments, the tracked cyber-activities can include but arenot limited to the creation, modification or deletion of files; thecreation, modification or deletion of a registry keys and values; thecreation, modification or deletion of a windows managementinstrumentation class and instance; network communications includingconnections to both public and private, among other measurablecyber-activities. The tracking of these cyber-activities along with thetracking of selected entities and entity-relations provide cyberoperators with the monitoring required to track the following set ofactions:

-   -   1. Attached Word document is opened from an email received in        Outlook; the attached document starts up a VBA macros that        spawns an instance of PowerShell; the instance of PowerShell        connects to a public IP address and downloads a malicious piece        of software.    -   2. Excel spreadsheet is opened up from a USB key; excel        spreadsheet starts up

VBA macro that sets an ‘auto-start’ registry key with a valuecorresponding to a PowerShell execution command; at machine restart the‘auto-start’ registry key enables the execution of the PowerShellcommand; PowerShell connects to a public IP address and downloads amalicious piece of software.

-   -   3. User downloads from the Internet a zip file; user unzips the        files in a new folder which includes an executable file; user        manually executes the executable file.

In certain embodiments, the graphical components for thecyber-activities, entities and entity-relations include text. This textmay be in the form of one or more labels or tags providing furtherinformation. Optionally, the text is displayed in response to a user'saction. For example, the text may be displayed in response to the user“clicking” or “hovering over” a graphical component of therepresentation.

In certain embodiments time based ordered visual representations may bepaused, “rewound” and/or “fast forwarded” in response to a user actionor at a scheduled timepoint. Optionally, the methods and system of thepresent invention provides search option to search cyber-activities,entities and entity-relations and/or a filter option such that onlycertain elements can be selected and displayed.

The cyber-activities, entities and entity-relations may be displayedautomatically or in response to a user's actions. All cyber-activities,entities and/or entity-relations or selection of the cyber-activities,entities and entity-relations may be displayed. Accordingly, in certainembodiments, methods for filtering cyber-activities, entities andentity-relations utilize one or more criteria. The filtering maycomprise inclusion filtering such that cyber-activities, entities and/orentity-relations meeting the one or more inclusion filtering criteriaare displayed. The filtering may also comprise of exclusion filteringsuch that cyber-activities, entities and/or entity-relations meeting oneor more exclusion filtering criteria are not displayed. Criteria mayinclude but is not limited to any key-value pair(s) contained in thecyber-activities, entities and/or entity-relations. For example, thiscan include a particular user account, a particular device, and/or aparticular organization, among other possibilities.

In certain embodiments, the methods of the present invention depictcyber-activities, entities and/or entity-relations at one or more levelsof granularity. These levels of granularity include but are not limitedto the cyber operator level, organizational level, domain level, sitelevel, network level, sub-network level, group asset level, devicelevel, user level, operating system level, and process level, amongothers. In specific embodiments, the method of the present inventiondisplays cyber-activities, entities and/or entity-relations in hierarchycomprising the following levels: operators, clients, devices, processesand events. A panel may depict one or multiple levels of granularity.

The following example of a cyber-activity at various granularity levelsfor a registry key modification in device #5 in network #2 oforganization A is provided as a non-limiting illustrative example only:

-   -   Network level: The method would provide a visualization of the        cyber-activity in network #2 of organization A.    -   Device level: The method would provide a visualization of the        cyber-activity in device #5 in network #2 of organization A.    -   Event level: The method would provide a visualization of the        cyber-activity of a registry key modification in device #5 in        network #2 of organization A.

The method further comprises, optionally displaying, optionally inresponse to a user action, a link/pathway to a selected cyber-activity,entity and/or entity-relation in each of level of granularity; andoptionally displaying, optionally in response to a user action, on saidgraphical user interface, a graphical representation(s) of the timebased sequenced “tree” representation of the cyber-activity, entityand/or entity-relation.

In certain embodiments, the methods further comprise characterizing eachcyber-activity, entity and/or entity-relation as normal or anomalousbased on a cyber operator annotation and/or cyber operator defined ruleand/or its statistical deviation from the normal baseline. Optionally,when an anomalous cyber-activity, entity and/or entity-relation has beenidentified, the method of the present invention initiates downstreamactions, including but not limited to automatic notifications and/orautomatic countermeasures.

In specific embodiments, the selected event streams produced by thedeployed sensors across the computer and computer network can beadjusted to increase or decrease the level granularity for the monitoredevent streams. Increased visibility can also be achieved by starting upnew event streams to achieve finer grained monitoring ofcyber-activities. For example, when a network is actively under attackby an adversary the cyber operator can increase the visibility of themonitoring by changing the configuration of event streams and bystarting up new event streams. In particular, the cyber operator maychoose to remove all filters on the ‘process creation’ event stream, tohave complete visibility into this event stream, and to start up the‘module loaded’ event stream to track all modules loaded into processmemory space. This can enable to track behavior, such as librariesloading into a running process, which can provide the insight requiredto track the adversaries behaviour.

Although the invention has been described with reference to certainspecific embodiments, various modifications thereof will be apparent tothose skilled in the art without departing from the spirit and scope ofthe invention. All such modifications as would be apparent to oneskilled in the art are intended to be included within the scope of thefollowing claims.

The embodiments of the invention in which an exclusive property orprivilege is claimed are defined as follows:
 1. A method forcyber-monitoring and visually depicting cyber-activities, said methodcomprising: a) tracking cyber-activities derived from event stream(s);b) extracting, building or extracting and building one or more entitiesand one or more entity-relations from said tracked cyber-activities,wherein each of said entity is a representative component of aparticular cyber-activity; c) characterizing the entities from step b)as normally-occurring, unknown or anomalous; d) excluding entities whichare normally-occurring from further review; and e) reviewing any unknownor anomalous entity(ies) by: (i) displaying on a panel of a graphicaluser interface (GUI) a set of relational stack representations whereeach stack represents a different level of granularity; each stackcomprising cells in a chronological order, where each cell represents anentity from the one or more entities not excluded in step d); andwherein each cell comprises information regarding the entity the cellrepresents that can be visualized in response to user input; (ii)selecting an entity from step e)(1) to visualize across levels ofgranularity; (iii) displaying, automatically or in response to a useraction, links between the selected entity in neighboring stacks toprovide a pathway following the selected entity across levels ofgranularity and thereby produce a pattern of relations for said selectedentity across said levels of granularity; and (iv) characterizing saidselected entity as normal or anomalous based on said pattern ofrelations.
 2. The method of claim 1, wherein step c) comprisesapplication of one or more rules to characterize the entities as beingnormal.
 3. The method of claim 1, wherein each cell can be expanded orcompressed.
 4. The method of claim 1, wherein each cell has colorcoding.
 5. The method of claim 1, wherein step b) comprises: (i)selecting entities from said cyber-activity(ies); and (ii) selecting anentity-relations tracking model.
 6. The method of claim 1, wherein saidrelational stack representations comprise stacks representing entitiesat organization, domain, user and device levels of granularity.
 7. Themethod of claim 1, wherein said relational stack representationscomprise stacks representing entities at devices, processes and eventslevels of granularity.
 8. The method of claim 1, wherein the GUI is amultiple panel format and one or more panels are linked such that useraction in one panel is reflected in one or more other panels.
 9. Themethod of claim 8, wherein said GUI comprises panels displayingdifferent levels of processing.
 10. The method of claim 8, furthercomprising displaying a tree representation in a second panel.
 11. Themethod of claim 8, wherein said GUI comprises one or more panelsproviding a visualization of rules for the automated processing thathave been applied and/or rules generation.
 12. The method of claim 8,wherein said GUI comprises a panel for implementing a workflow.
 13. Themethod of claim 1, wherein the characterization as normal or anomalousis automatic based on rules.
 14. The method of claim 1, furthercomprising initiating downstream actions following characterization ofan entity as anomalous.
 15. The method of claim 1, further comprisingdisplaying on a second panel of said GUI a further relational set ofstack representations having the same levels of granularity; each stackcomprising cells in a chronological order, where each cell represents anentity from the one or more entities not excluded in step d); andwherein each cell comprises information regarding the entity the cellrepresents that can be visualized in response to user input.